Most organizations that enable users to perform Web transactions (e.g. banks and ecommerce sites) have implemented security controls to address online and mobile fraud. These controls fall into two buckets: transaction-focused intelligence, which looks for anomalous actions, and device-focused intelligence, which looks for a new device, a strange IP geo location, or signs that the device is infected with financial malware. Using these controls, organizations get to about 5-10% of high-risk scenarios that require a step-up authentication, such as secret questions and SMS one-time-passwords. Unfortunately, more than 20% of users fail step-up authentication.